0xKartikgiri00 - `initialize` function not disabled in `AmirX` contract.

[sherlock-admin4]

0xKartikgiri00

high

initialize function not disabled in AmirX contract.

Summary

The contract AmirX does not call the _disableInitializers() function in its constructor, which leads to make the contract unpaused if it is meant to be paused.

Vulnerability Detail

The contract AmirX contract does not call _disableInitializers() function in its constructor. Which makes the implementation contract to call initialize function even after it is called by the proxy. The calling of initialize function again in implementation contract will make the contract unpaused if it is paused.

Impact

If the contract is meant to be paused the calling of initialize function again in implementation contract will make the contract unpaused.

Code Snippet

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/swap/AmirX.sol#L49

Tool used

Manual Review

Recommendation

Call the _disableInitializers() function in the constructor of the AmirX contract to prevent the execution of initialize functions after it is called by proxy or called on implementation contract. Recommendation in code:-

 /// @custom:oz-upgrades-unsafe-allow constructor
+  constructor() {
+    _disableInitializers();
+  }

[sherlock-admin3]

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

when the initialize function is called; it triggers the initializer modifier which restricts repeated intialization

[kartik-giri]

The initilaize() function can be called from implementation contract even when it has been deployed if we don't implement _disableInitializers().